This document provides a sample configuration for Lightweight Extensible Authentication Protocol (LEAP) authentication on an IOS®-based access point, which serves the wireless clients, as well as acts as a local RADIUS server. This is applicable to an IOS access point that runs 12.2(11)JA or later.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Usually an external RADIUS Server is used to authenticate users. In some cases, this is not a feasible solution. In these situations, an access point can be made to act as a RADIUS Server. Here, users are authenticated against the local database configured in the access point. This is called a Local RADIUS Server feature. You can also make other access points in the network use the Local RADIUS Server feature on an access point. For more information on this, refer to Configuring Other Access Points to Use the Local Authenticator.

This document describes how to configure LEAP together with the Local RADIUS Server feature on an access point. The Local RADIUS Server feature was introduced in Cisco IOS Software Release 12.2(11)JA. Refer to LEAP Authentication with RADIUS Server for background information on how to configure LEAP with an external RADIUS server.

As with most password-based authentication methods, Cisco LEAP is vulnerable to dictionary attacks: the challenge/response exchange can be captured over the air and password candidates tried against it offline, so per-user lockout on the access point does not protect a weak password. This is not a new attack or a new vulnerability of Cisco LEAP. You must enforce a strong password policy to mitigate dictionary attacks, which includes long, non-dictionary passwords and regular password changes. Refer to Dictionary Attack on Cisco LEAP for more information about dictionary attacks and how to prevent them.

This document assumes this configuration for both CLI and GUI:

The IP address of the access point is 10.77.244.194.

The SSID used is cisco, which is mapped to VLAN 1.

The usernames are user1 and user2, which are mapped to the group Testuser.

Under Local RADIUS Server Authentication Settings, check LEAP so that LEAP authentication requests are accepted by the local authenticator.

Define the IP address and shared secret of the network access server (NAS) that is allowed to send RADIUS requests to the local authenticator. For the Local RADIUS Server, the NAS is this access point itself, so enter the IP address of this AP (10.77.244.194). The same shared secret must be configured on the AP's RADIUS client side (the RADIUS server entry that points back at 10.77.244.194); if the two secrets differ, every authentication fails.

Click Apply.

Scroll down from Local RADIUS Server under the General Setup tab and define the individual users with their usernames and passwords. Optionally, users can be associated with groups, which are defined in the next step. Groups restrict which users can log in to a given SSID or VLAN.

Note: The Local RADIUS database is comprised of these individual usernames and passwords.

Scroll further down on the same page, again under Local RADIUS Server on the General Setup tab, to User Groups; define the user groups and associate each with a VLAN or SSID.

Note: Groups are optional. The group attributes are not sent to Active Directory or any external server; they are only relevant to the local authenticator. You can add groups later, once you confirm that the base configuration works correctly.
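As an added example that is not taken from the original document, this is the CLI equivalent of the GUI steps above, using the values the document assumes (AP address 10.77.244.194, SSID cisco on VLAN 1, users user1 and user2 in group Testuser). The shared secret cisco, the two user passwords, the server-group name rad_eap, the method-list name eap_methods, the WPA/TKIP cipher choice, and the lockout values are assumptions of this example, not values from the document.

```ios
! Added example configuration, not from the original document.
! Assumed values: shared secret "cisco", passwords user1pass/user2pass,
! names rad_eap and eap_methods, WPA/TKIP cipher, lockout 5 failures / 60 s.
!
aaa new-model
!
! RADIUS client side: the server the AP sends requests to is the AP itself.
aaa group server radius rad_eap
 server 10.77.244.194 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
!
! The SSID from the document, mapped to VLAN 1. LEAP is carried as
! network-eap; "open eap" is kept for clients that negotiate it that way.
dot11 ssid cisco
   vlan 1
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
!
interface Dot11Radio0
 encryption vlan 1 mode ciphers tkip
 ssid cisco
 no shutdown
!
interface BVI1
 ip address 10.77.244.194 255.255.255.0
!
! Source RADIUS requests from the BVI so the NAS address below matches.
ip radius source-interface BVI1
!
! RADIUS server side (the Local RADIUS Server feature).
! LEAP, EAP-FAST and MAC authentication are accepted by default;
! disable what is not needed so only LEAP remains.
radius-server local
 no authentication eapfast
 no authentication mac
 ! The NAS entry is this AP; key must equal the radius-server host key.
 nas 10.77.244.194 key cisco
 ! Group ties users to the SSID/VLAN and locks an account after
 ! 5 consecutive failures for 60 seconds (assumed values).
 group Testuser
  vlan 1
  ssid cisco
  block count 5 time 60
 ! Local user database; "group" restricts the user to that group's SSID/VLAN.
 user user1 password user1pass group Testuser
 user user2 password user2pass group Testuser
!
! Same secret as the "nas" line above.
radius-server host 10.77.244.194 auth-port 1812 acct-port 1813 key cisco
```

After a client authenticates, show radius local-server statistics reports successes and failures per user and per NAS; a failure counter that climbs while the user never shows up in the successes is the usual sign that the shared secret on the radius-server host line does not match the nas line. The lockout in block count only slows online guessing against the AP; it does nothing against an offline dictionary attack on a captured LEAP exchange, which is why the password policy in this document still applies.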

debug dot11 aaa authenticator all—This debug shows the negotiations that a client goes through as it associates and authenticates through the 802.1X/EAP process, from the perspective of the authenticator (the access point). This debug was introduced in Cisco IOS Software Release 12.2(15)JA. It replaces debug dot11 aaa dot1x all in that and later releases.